InfoSecCon - CorreLog Peter Mills_final

Transcript of InfoSecCon - CorreLog Peter Mills_final

Page 1

Bridge the Gap: How to Use an Enterprise Product You Already Own to Enhance z/OS Security

Peter Mills, Vice President Development & Support, CorreLog, Inc.

[email protected]

© 2015 CorreLog, Inc.

Page 2

Agenda

• Preface: Two Worlds of IT Security

• Real-time Alerts: Make your mainframe more secure by taking advantage of the security tools you probably already have

• Why, What, How

• Brief Introduction to SIEM Systems

Page 3

Preface: Two Worlds of IT Security

Page 4

Security in the Mainframe World

Page 5

Security in the Network World

(Diagram: Security Operations Center with a SIEM fed by Web Server, Routers, Firewalls, Linux, Windows and Unix systems)

Page 6

The Two Meanings of “Syslog”

• z/OS SYSLOG: “a data set residing in the primary job entry subsystem's spool space … used by application and system programmers to record communications about problem programs and system functions.” – MVS Planning: Operations

• That is not what the rest of the IT industry means by “Syslog”

Page 7

“Syslog” – The Network Security Meaning

• “The BSD syslog Protocol” – IETF RFC 3164 and follow-ons RFC 5424, 5425, 5426 and 6587

– Almost free-format text (ASCII) messages – <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8

• <34> is the encoded “facility” (security) and severity (critical)

– Transmitted via UDP or TCP/IP with optional SSL/TLS encryption

– Generated by routers, firewalls, UNIX systems, etc.

• No native Syslog capability: Windows and z/OS

Page 8

What’s a SIEM?

• Security Information and Event Management

• Collects Syslog messages

• Filtering

• Correlation: pattern recognition; establishing relationships among messages and events

• IP Geo-location

• Real-time Alerts

• Log management: cost-effective forensic (tamper-proof or tamper-evident) storage, indexing, analysis, search and reporting

• User and Application Monitoring

• Compliance reporting

• You probably spent or are spending at least six figures on a SIEM

Page 9

Real-Time Alerts: Let your mainframe take advantage of network security tools

Page 10

Mainframe in the Network Security World

(Diagram: Security Operations Center with a SIEM fed by Web Server, Routers, Firewalls, Linux, Windows and Unix systems)

Page 11

Why Integrate z/OS into your SIEM?

• Compliance: PCI DSS, HIPAA, GLBA, SOX, IRS Pub. 1075

– You need to include the box with 70% of the data

– CISOs and Auditors are discovering the mainframe

• z/OS is not invulnerable

– You already paid for a SIEM – why not use it to help protect z/OS?

– Add z/OS to the correlation mix

Page 12

Aren’t Mainframes Inherently Secure?

• “The mainframe is the most securable platform” – Mark Wilson, RSM Partners, SHARE 2014

• “Insider threats are the leading cause of data breaches in the last 12 months” – Understand The State Of Data Security And Privacy: 2013 To 2014, Forrester Research

(Photo: Edward Snowden. Source: Wikimedia)

• Is your mainframe more secure than the NSA’s?

Page 13

Yes, z/OS Can be Breached!

• Per Gottfrid Svartholm Warg, alias anakata, co-founder of The Pirate Bay, a digital content piracy sharing site

• Convicted of violating Swedish copyright law in 2009 – flees to Cambodia

• Pursues vendetta against MPAA lawyer Monique Wadsted

• In 2010, hacks into her account on Infotorg, a browser-accessed database hosted on z/OS at Logica, a Swedish service bureau

• Hacks continue in 2011 and 2012

• Leverages CGI shell command injection into full scale hack against Logica during first quarter of 2012

Page 14

The Breach Becomes a Crisis

• Data including government agency files, credit cards, and 10,000 social security numbers

• Downloaded RACF databases, used password cracking tool* to decrypt thousands of passwords

• Installed backdoor to allow easy ongoing access

• Attempted to transfer 5.7 million Swedish kronor (~US$600,000) from Nordea Bank to accomplices

• Logica unable to contain breach and invokes Swedish “national event”

• Svartholm and an accomplice extradited from Cambodia and convicted June 2013

*John The Ripper – you can Google it – includes explicit support for RACF password decryption

(Photo source: Wikimedia)

Page 15

“Hackers against Society”

• Breach of CSC Denmark mainframe, April to August, 2012

• Downloaded and also may have modified information in the driver’s license registry and the Schengen database of wanted persons

• Same mainframe also served Danish Tax Authority, the citizen ID number registry and other public agencies

• October 31, 2014 Svartholm convicted and sentenced to three-and-one-half years in prison in Denmark. He is appealing

Page 16

Your Mainframe is not a Silo

• You may have separate mainframe and network security teams, but hackers do not

• Breaches are systemic, not platform-specific

• Warg and his accomplices moved freely among PC, Web, z/OS, UNIX – and Hercules

• Protect your mainframe by correlating the indicators

Page 17

Correlation is Power

• More failed TSO logons than normal may not be significant …

• But what if correlated with more intrusion detection system hits than normal, more firewall hits than normal, more Web logon failures than normal?

• That is what SIEM systems do – think how powerful to add your mainframe into the mix

Page 18

“Call the Doctor, not the Undertaker”

• Traditional mainframe approach is nightly reports

• But you want to find out about a breach now, not tomorrow morning

• The Network Security World has real-time tools – why not utilize them? – When was the last time a batch report sent you a text?

• Leverage the SIEM software you probably already own for real-time alerts

• Separation of duties: move the mainframe log files off the mainframe

• PCI DSS, IRS Pub. 1075, SOX all require secure, archived log of accesses – why use gigabytes of mainframe DASD?

Page 19

z/OS Events Available Real-time

• Everything RACF, ACF2 and Top Secret – Failures only, or audit successes too

• File integrity: who modified critical or sensitive files? – PDS, QSAM, VSAM and UNIX files written

– Renames and Scratches

• Start and end of TSO sessions – Optionally started tasks, batch jobs, ABENDs, etc.

• TCP/IP, TN3270 and FTP sessions and failures

• New! IND$FILE events

• Everything needed from DB2 for PCI DSS

• Audited CICS Transactions

• Partner events: NewEra, Vanguard, …

• Console messages, IMS, …

• All real-time – no periodic FTP

Page 20

What IP Address Edited SYS1.PARMLIB?

<69>Mar 26 05:18:00 mvssysb TCP/IP: Subtype: Telnet SNA init - TermNm: TCPB2931 - RemtIP: 58.14.0.140

<29>Mar 26 05:18:22 mvssysb SMF: Start - Work: TSO - JobID: TSU00863 - Group: RESTRICT - UserID: SYS013B - TermNm: TCPB2931

<118>Mar 26 05:22:09 mvssysb DFSMS: Action: Add/Replace - JobNm: RU018A - Step: $TSUSER - Proc: $TSUSER - DSN: SYS1.PARMLIB - Vol: LS0501 - Flag: Replace - Mem: IEAAPF00 - UserID: SYS013B - POE: TCPB2931 - Group: RESTRICT
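The attribution this slide walks through, and the cross-source correlation argued for on slide 17, as an added Python example (written for this transcript; not CorreLog's code or the agent's own logic): it decodes the RFC 3164 <PRI> header, splits the agent's "Key: value - Key: value" body, and joins the Telnet, SMF and DFSMS events on the terminal name (TermNm in the first two, POE in the third) to tie the SYS1.PARMLIB update back to a remote IP. The sample messages are constructed from the values shown on the slide.

```python
import re

# Constructed sample: the three events on the slide, one per line
# (values copied from the slide, not captured from a live system).
SAMPLE = [
    "<69>Mar 26 05:18:00 mvssysb TCP/IP: Subtype: Telnet SNA init"
    " - TermNm: TCPB2931 - RemtIP: 58.14.0.140",
    "<29>Mar 26 05:18:22 mvssysb SMF: Start - Work: TSO - JobID: TSU00863"
    " - Group: RESTRICT - UserID: SYS013B - TermNm: TCPB2931",
    "<118>Mar 26 05:22:09 mvssysb DFSMS: Action: Add/Replace - JobNm: RU018A"
    " - Step: $TSUSER - Proc: $TSUSER - DSN: SYS1.PARMLIB - Vol: LS0501"
    " - Flag: Replace - Mem: IEAAPF00 - UserID: SYS013B - POE: TCPB2931"
    " - Group: RESTRICT",
]

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss host tag: body
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")

def parse(line):
    """Decode PRI into facility/severity (PRI = facility*8 + severity) and
    split the agent body into a dict; a leading bare token such as
    'Start' is kept under 'Event'. Returns None for non-syslog input."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    fields = {}
    for part in m.group(5).split(" - "):
        key, sep, val = part.partition(": ")
        if sep:
            fields[key] = val
        else:
            fields.setdefault("Event", part)
    return {"facility": pri // 8, "severity": pri % 8, "time": m.group(2),
            "host": m.group(3), "source": m.group(4), "fields": fields}

def who_changed(dataset, messages):
    """Attribute DFSMS Add/Replace events on `dataset` to the remote IP
    that opened the terminal session, joining on TermNm (Telnet, SMF)
    and POE (DFSMS). A terminal with no Telnet event reports 'unknown'."""
    ip_by_term, user_by_term, hits = {}, {}, []
    for ev in filter(None, map(parse, messages)):
        f, src = ev["fields"], ev["source"]
        if src == "TCP/IP" and "RemtIP" in f and "TermNm" in f:
            ip_by_term[f["TermNm"]] = f["RemtIP"]
        elif src == "SMF" and f.get("Work") == "TSO" and "TermNm" in f:
            user_by_term[f["TermNm"]] = f.get("UserID")
        elif src == "DFSMS" and f.get("DSN") == dataset:
            term = f.get("POE")
            hits.append({"time": ev["time"], "member": f.get("Mem"),
                         "user": f.get("UserID"), "terminal": term,
                         "session_user": user_by_term.get(term),
                         "remote_ip": ip_by_term.get(term, "unknown")})
    return hits
```

`who_changed("SYS1.PARMLIB", SAMPLE)` returns one hit naming member IEAAPF00, user SYS013B, terminal TCPB2931 and remote IP 58.14.0.140; in a real SIEM the same join would run against a live stream with a time window rather than a fixed list.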

Page 21

RACF Events

<35>Nov 27 19:44:00 SYSB RACF: RESOURCE ACCESS: Insufficient Auth - UserID: RU018B - Group: RESTRICT - Reas: AUDIT option - Job: RU018BTR - Res: SYS1.PROD.PROCLIBT - Req: READ - Allow: NONE - Vol: SYS001 - Type: DATASET - Prof: SYS1.PROD.PROCLIBT - Owner: DATASET - Name: ROBERT SMITH - POE: INTRDR

<35>May 14 11:11:46 SYSB RACF: INIT/LOGON: Invalid Password - UserID: QAMLB2 - Group: TSOHOLD - Auth: 00 - Reas: VERIFY failure - Term: TCPA2959 - Name: MARIE BERGERON - POE: TCPA2959

Page 22

ACF2 Security Events

• Logon ID Modification, Dataset & Program Security Journal, Invalid Password Authority, Resource Access Violation, Restricted Logon ID and similar mainframe security events

• Example: mvssysb ACF2: EventDesc: Logonid modification - ChgDesc: Delete - JobNm: DECRO01 - UserID: DECRO01 - Pgm: ACF02ALT - Name: ROSS DECENT - Rel#: 140 - RdrTime: 2012-07-03T16:19:43.880 - ASID: XE34 - DelTime: 2012-07-03T17:19:51.028 - UID: OMVSDGRPAAABDECRO01

(Slide callouts: Type of Event, User ID, User Name)

Page 23

File Integrity Monitoring

• Be alerted to modifications of critical system files

SYSB RACF: RESOURCE ACCESS: Successful Access - UserID: RU018B - Group: RESTRICT - Auth: Normal check - Reas: AUDIT option - Term: TCPA2953 - Job: RU018B - Res: RU018B.AUDITALL.TEST1 - Req: UPDATE - Allow: ALTER - Vol: LS0158 - Type: DATASET - Prof: RU018B.AUDITALL.* - Name: ROBERT SMITH

(Slide callouts: User Name, Type of Access, Terminal, File Name)

Page 24

TCP/IP and FTP Events

<69>Mar 26 17:32:46 mvssysb TCP/IP: Subtype: FTP server complete - Stack: TCPIP - Op: Retrieve - FileType: SEQ - RemtDataIP: ::ffff:10.31.0.209 - UserID: RX239JB - DStype: HFS - Start: 11037 22:32:45.21 - Dur: 0.78 - Bytes: 56324 - SessID: FTPD100335 - DSN: /u/rx239jb/Source/Fields.C - Security: {Mech: None - CtlProt: None - DataProt: None - Login: Password}

<69>Mar 25 18:53:21 mvssysb TCP/IP: Subtype: FTP server logon fail - Stack: TCPIP - AS: FTPD1 - UserID: DV174A - RemtIP: ::ffff:10.10.8.66 - LogonUserID: DV174A - Reas: Password invalid - SessID: FTPD100026 - Security: {Mech: None - CtlProt: None - DataProt: Undefined - Login: Password}

Page 25

IND$File Events

Page 26

New! IND$defender

• IND$FILE is a useful tool but completely unaudited

• May 28 16:18:10 MVSSYSB CorreLog: SubT: IND$FILE Audit - SubCmd: GET - DSN: SYSP.DB2.DBRMLIB.DATA - Mem: DSN8BC3 - Type: Partitioned - RdrTime: 2015-05-28T20:16:41.164 - UserID: DEV013 - Name: CHARLES MILLS - Group: RESTRICT - RemtIP: 129.42.38.1 - JobID: TSU00637 - TermNm: NVA00076 - Dur: P00:00:02.660

Page 27

UNIX File System Events

Jun 20 14:33:35 mvssysb zFS: APID: 67305918 - Cat: zFS - OGroup: 675 - JobNm: MDRZ620A - PGroup: 84083495 - PID: 84083495 - Group: ZDEV - Start: 2014-06-20T11:56:49.390 - Uid: DV001 - SessID: 84083495 - StepNm: MDRZSYS - SubT: File close - OUid: 500021 - In: 4255 - DirBlks: 10 - DevNo: 0069 - Inode: 133 - BlksRead: 2 - FName: /source/views/$shared$.views.xml - Reads: 3 - Close: 2014-06-20T14:33:34.879 - Token: 6943232 - Open: 2014-06-20T14:33:34.856 - Type: Regular

(Slide callouts: Full path name, OMVS UID, z/OS Job Name)

Page 28

Operational Events

<29>Mar 04 04:42:01 mvssysb SMF: End - Work: STC - Sysname: SYSB - JobNm: MITDB41T - JobID: STC07802 - Step#: 1 - Group: DFLTSTC - UID: LSCSTC - RC: U0011-0

Page 29

DB2 Events

<110>Mar 24 15:29:00 mvssysb DB2: Subsys: DA1L - IFCID: Audit administrative authorities - UserID: RU018B - AuthID: RU018B - CorrID: RU018BD3 - Auth: SYSADM - Priv: SELECT - ObjType: Table or view - Cmd: SELECT * FROM SYSIBM.SYSTABLES - SrcQual: SYSIBM - Src: SYSTABLES

<110>Mar 24 15:44:20 mvssysb DB2: Subsys: DA1L - IFCID: Authorization failures - UserID: RU018A - AuthID: RU018A - CorrID: RU018ADS - Priv: SELECT - ObjType: Table or view - SrcQual: CORE1010 - Src: NEWPHONE - Node: JES2SYSB - Group: RESTRICT - POE: INTRDR - Sql: SELECT * FROM CORE1010.NEWPHONE

Page 30

Introduction to SIEMs

Page 31

Types of SIEMs

• Conventional Software/Appliance/Virtual Appliance – Running on Linux, UNIX or Windows

– HP ArcSight ESM

– IBM Security QRadar

– LogRhythm

– AlienVault (Open Source)

– McAfee (Intel Security) ESM

– RSA (EMC) Security Analytics (enVision)

– CorreLog SIEM Correlation Server

– Splunk – do not call themselves a SIEM but customers use as a SIEM, and Gartner positions as a SIEM

Page 32

SIEM in the Cloud: MSSP

• Managed Security Service Provider

– Some are hybrids with an on-site “concentrator” appliance

– Dell SecureWorks

– IBM Managed Security Services

– Verizon

– NTT Solutionary

Page 33

Correlation

Page 34

Real-Time Text Alerts

Page 35

Compliance Scorecards

Page 36

z/OS to SIEM Integration

• ArcSight and QRadar include free or low-cost connectors – Frequent FTP

– Limited functionality

• Splunk-specific agent from Syncsort

• CorreLog SIEM Agent for z/OS – SIEM Agnostic

– 100% Real-time

(Diagram: CorreLog SIEM Agent for z/OS sends events over UDP, TCP/IP or ICSF-encrypted TCP/IP directly to any SIEM or MSSP, with no intermediate “formatting box”)

Page 37

SIEM Agnostic

• HP ArcSight CEF Certified

• IBM Security QRadar “Ready for Security Intelligence”

• Intel Security (McAfee Nitro) Partner

• NTT Solutionary Partner

• RSA Security Analytics Certified

• Dell SecureWorks

• LogRhythm

• Splunk

Page 38

z/OS Events in HP ArcSight ESM

Page 39

z/OS Events in Splunk

Page 40

z/OS Events in Splunk App

Page 41

CorreLog Visualizer for z/OS

(Diagram: Security Operations Center SIEM alongside a z/OS Departmental SIEM for the z/OS Group)

Page 42

Mainframe Events in z/OS Visualizer

Page 43

Point-and-Click Drill-Down to Detail

Page 44

CorreLog z/OS Agent + Visualizer

• Compatible with – will “front end” – any enterprise SIEM

• Point-and-click window into z/OS events

– Security, TSO, started tasks, ABENDs, FTP, DB2

• Real-time: up-to-the-second, timely data

• “Log analysis”

• “Big SIEM” features like correlation, point-and-click, reports, text alerts, etc.

Page 45

In conclusion …

• We have covered

– The two worlds of IT security

– Why and how to get real-time event alerts by making your mainframe part of your overall enterprise security posture

– A brief introduction to SIEMs

• Thank you!

Page 46

Questions?

Page 47

For more information …

• www.CorreLog.com

[email protected]

[email protected]

Local rep: Brian Cain

(877) CorreLog x.413 | C: (239) 839-8627

(239) 514-3331 x.413 | F: (239) 687-3505

Page 48

Legal

• Trademarks – CorreLog® is a registered trademark, and dbDefender is a trademark, of CorreLog, Inc.

– The following terms are trademarks of the IBM Corporation in the United States or other countries or both: DB2®, IBM®, MVS, Q1®, QRadar®, RACF, System z, Tivoli®, z/OS®, zSecure®, zSeries®

– ACF2® and Top Secret® are registered trademarks of CA Inc.

– ArcSight is a trademark of Hewlett-Packard Development Company, L.P.

– Gartner® is a registered trademark of Gartner, Inc.

– LogRhythm is a trademark of LogRhythm, Inc.

– McAfee® is a registered trademark of McAfee, Inc.

– PCI Security Standards Council is a trademark of The PCI Security Standards Council LLC.

– Splunk® is a registered trademark of Splunk, Inc.

– UNIX® is a registered trademark of The Open Group.

– Vanguard Integrity Professionals is a trademark of Vanguard Integrity Professionals

– Windows® is a registered trademark of Microsoft Corporation.

– Other company, product, or service names may be trademarks or service marks of others. No association with CorreLog, Inc. is implied.

• We acknowledge the PCI DSS Requirements and Security Assessment Procedures, Version 2.0, Copyright 2010 PCI Security Standards Council LLC.